A PayPal Australia and ACIS paper has found that 90 per cent of Aussies are confident their passwords aren’t guessable and reuse one password across many sites for simplified signon. … many Australian internet users underestimated the threat from cyber criminals that steal passwords from one site and attempt to use them across other [...]
“Cracking Lion Passwords” might be a somewhat sensationalist headline but Patrick at www.defenceindepth.net has found an interesting weakness in OSX Lion. With access to a console, you can reset passwords for other users without even having to be an admin / su / guy with those powers. Using “dscl” (Directory Service Command Line utility) you can access [...]
This actually scared me after years of advocating / enforcing password complexity without perhaps thinking about it so much. Not sure if this takes into account dictionary style attacks.
Once upon a time while doing the corporate identity management thing, we incubated an idea for and deployed (ish) a self service password reset (SSPR) solution for a bank. Self service password reset is one of the best corporate identity management toys by far as it basically writes its own business case. Large [...]
DropBox inadvertently implemented simplified signon yesterday when a code change negated the need for passwords for around 4 hours. The bug was published at 1:54pm Pacific time, discovered at 5:41pm and a fix was live at 5:46. For a change that quick, I guess they either rolled back the authentication code, or it was a really simple bug [...]
In my first post of 2011, RSA believes the SMS one time passwords popularly used by mobile banking sites will come under increased attack by organised crime elements during 2011. http://www.zdnet.com.au/sms-bank-tokens-vulnerable-rsa-339308633.htm Welcome all to 2011.
Hi to all you Identricity readers, Thanks for visiting and engaging during 2010 and I wish you all a very Merry Christmas and a Happy New Year! Cheers, Adrian
Unix Identity Management: ITNews reports that AUSkey, the soft-token 2FA used to access a number of Australian government online services, is now (somewhat) compatible with Linux. The ATO announced that the AUSkey registration, download and installation process had been successfully tested with Ubuntu 10.04 and Firefox 3.6, and may also work with other versions of [...]
Oracle finally announced yesterday they are purchasing single signon vendor Passlogix. Passlogix provides one of the most widely deployed and mature enterprise single signon platforms around. You might have read a little bias into that line – last year I evaluated Passlogix against IBM and other solutions on the market and ended up architecting a [...]
Hot on the heels of Google’s web access management announcements, Microsoft have made changes to the way Hotmail handles forgotten passwords. Users will be able to nominate “Trusted” PCs, from which password resets can be processed, and opt to register a mobile phone for SMS 2FA. “Rather than rely on an alternate e-mail address and [...]
It’s been an interesting 2 weeks for Google and web access management. Last week they announced SMS 2FA support for Google Apps. Today they announced support for OAuth as well as the protocol to authorise 3rd party applications. Up until now you would have received a redirect to a Google login page where you had to put [...]
ASP.NET Forms are a pretty common mechanism for web access management (when combined with NTFS permissions) for .NET web applications. Security researchers Thai Duong and Juliano Rizzo have discovered a technique to compromise an ASP.NET Forms Authentication cookie when using AES encryption. It’s worth noting that the attack is 100% reliable, i.e. one can be [...]
Atlassian is an Aussie company more famous for the Confluence Wiki and Jira bug tracking software than Crowd – their IdM product suite (if being generous) / stack of identity stuff (more on target). Crowd includes a .NET SSO application framework (think raw web access management), some basic provisioning and OpenID integration. I heard about [...]
Just saw an article over on Network World that Quest Software just bought ActiveEntry from Volcker Informatik AG. From a brief skim of the website, ActiveEntry looks like a heavily MS centric provisioning / workflow system – which sounds quite similar to Quest’s existing Active Roles server product. I haven’t had the chance to play [...]
A little askew of idm, but of industry relevance, Japanese telco NTT has made a $3.6 billion offer for global IT services firm Dimension Data. What’s the relevance you may ask? Well in 2007 Verizon made a similar move and bought Cybertrust for its security consulting, assessment and managed security services starting the transformation to [...]
Microsoft announced at the RSA conference that they’re shipping (finally!) the GA version of Microsoft Forefront Identity Manager (FIM) 2010. We recently deployed an early adopter release of FIM here to synchronise accounts between the various Active Directories in different parts of the organisation and our Lotus Notes infrastructure. That project was kind enough to [...]
I’ll have to look into this further, but it looks like Novell are providing some toolkits to embed identity and access management into internally developed web apps and for those companies building cloud computing apps. http://www.arnnet.com.au/article/328877/novell_vows_first_identity_management_cloud_virtualized_apps?eid=-100 The upcoming Novell Identity Manager 4 will add the new ability for IT managers to embed identity management and other [...]
So, Westpac and CBA have introduced SMS One Time Passwords (OTP) to provide second factor authentication (2FA). I bank with CBA (email address on my About link, phishers) and it’s good to see them finally introduce additional security measures – especially after reading articles for the past 12 months describing how CBA customer credentials are the most [...]
Not a bad 3000ft-view approach to getting IdM initiatives off the ground, posted over on cio.com: Four steps to self-funding identity management. Plagiarising Chris with my own 2c, here are the major steps: 1. Education: Identify the key business problems you need to solve. [AB] In large organisations, there are always people feeling the pain [...]
Wow. CA has made some major cuts to its local research and development workforce. There’s surely going to be some impact to their IAM products as a few notable pieces are developed out of Melbourne such as Identity Manager (parts of it anyway), Directory and SOA Security Manager (did this used to be transaction minder?). Being [...]
For those of us running, or with clients running, Sun Identity Manager, there are 9 vulnerabilities addressed in the latest patch. The affected product versions include: Sun Java System Identity Manager 7.0, Sun Java System Identity Manager 7.1, Sun Java System Identity Manager 7.1.1 and Sun Java System Identity Manager 8.0. Check the IT News article [...]
We’re living in interesting times. With share prices at an all time low for many tech giants, it’s a great time to go company shopping if you’re big and cashed up. I remember the days when Sun IM was the beez neez of provisioning and identity life-cycle management and IBM Tivoli IM still shipped with [...]
I’m sure it’s been around for a long time, but I’ve just come across Sun’s Identity Hero game. This definitely provides a chuckle (unless you’re an auditor or responsible for SOX). Remember not to run over the “disgruntled employees” without an “Access Management” powerup. You’ll lose a life. I got to level 6 and [...]
Thanks to a meeting with a vendor just before Christmas, I recently became aware that there are more open source identity management projects out there than you think (or at least, more than I thought). Some are still in a pretty embryonic stage, but others have been around for a long time. Who knows, we [...]
This article came across my inbox the other day. Martha (the author) doesn’t really have a security / idm background, according to my (quick, possibly faulty) skim of her LinkedIn profile, so I was interested in her takeaway on security and SaaS and the role of identity in SaaS. Identity management does get a few [...]
Over the last few weeks I’ve been trying to be more active online. I’ve been tweeting, facebooking and more recently looking into LinkedIn groups. (I’d put a link here to my LinkedIn profile, but it’s in serious need of rework). I’m not sure if you’ve looked into this yourself, but so far I’ve uncovered 6 [...]
After days of toil, we’ve finally got the blog live. Identricity.com covers identity and access management news from Australia and around the world. Where does the name come from? I think the identity part is clear, but well, there are some ‘eccentricities’ in our industry – minor nuances that anyone involved in IdM/IAM/IM projects in [...]
Unconventional news and views on Identity and Access management